From 2916e5df7e08fc588e752beaf486d907112a34ee Mon Sep 17 00:00:00 2001
From: Ferdinand Thiessen <opensource@fthiessen.de>
Date: Thu, 1 Aug 2024 23:06:55 +0200
Subject: feat: Provide CSP nonce as `<meta>` element

This way we use the CSP nonce for dynamically loaded scripts.
Important to notice: The CSP nonce must NOT be injected in `content` as
this can lead to value exfiltration using e.g. side-channel attacts (CSS selectors).

Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de>
---
 lib/private/Security/CSP/ContentSecurityPolicyNonceManager.php | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

(limited to 'lib/private/Security')

diff --git a/lib/private/Security/CSP/ContentSecurityPolicyNonceManager.php b/lib/private/Security/CSP/ContentSecurityPolicyNonceManager.php
index 2046c240291..993f74ae0e4 100644
--- a/lib/private/Security/CSP/ContentSecurityPolicyNonceManager.php
+++ b/lib/private/Security/CSP/ContentSecurityPolicyNonceManager.php
@@ -33,7 +33,8 @@ class ContentSecurityPolicyNonceManager {
 				// Get the token from the CSRF token, we only use the "shared secret" part
 				// as the first part does not add any security / entropy to the token
 				// so it can be ignored to keep the nonce short while keeping the same randomness
-				$this->nonce = end(explode(':', ($this->csrfTokenManager->getToken()->getEncryptedValue())));
+				$csrfSecret = explode(':', ($this->csrfTokenManager->getToken()->getEncryptedValue()));
+				$this->nonce = end($csrfSecret);
 			} else {
 				$this->nonce = $this->request->server['CSP_NONCE'];
 			}
-- 
cgit v1.2.3